Earlier this week, in addition to the feature-packed Pixel Drop, Google rolled out a massive security update addressing over 100 vulnerabilities across the Android ecosystem. More concerning, however, is that two of these flaws are already being exploited by attackers in the real world.
A critical December patch
It’s that time of the month again, but the December 2025 security bulletin is a bit heavier than usual. Google has pushed fixes for a staggering 107 security flaws affecting everything from the basic system framework to chips made by Qualcomm and MediaTek.
While most of these are standard housekeeping, three specific issues stand out. According to the official bulletin, there are two high-severity vulnerabilities that hackers are already using:
CVE-2025-48572: An elevation of privilege flaw in the Framework, essentially giving an attacker more control over the device than they should have.
CVE-2025-48633: An information disclosure vulnerability, which could allow unauthorized access to private data.
Google also patched a critical bug (CVE-2025-48631) that could crash your device remotely without you even touching it. As usual, the company is keeping the specific details of how these attacks work under wraps to prevent copycats, simply stating that there is "limited, targeted exploitation."
Why this update matters
The phrase "targeted exploitation" is usually code for spyware or sophisticated attacks aimed at high-profile individuals, but that doesn't mean the average user is safe. In fact, the situation is serious enough that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these bugs to its "must-patch" list, giving federal agencies a hard deadline of December 23 to update their devices.
What this really shows is the perpetually messy state of Android updates compared to the competition. When Apple discovers a zero-day flaw in iOS, it can push a "Rapid Security Response" to nearly every iPhone on the planet simultaneously. In the Android world, unless you have a Google Pixel, you are often at the mercy of your manufacturer (like Samsung or Motorola) and your carrier to approve and push the update. That creates a fragmentation gap where a fix exists, but you might not be able to get it yet.
Don't ignore that notification
This is one of those times when I’d suggest you don't swipe away the update notification. While it’s frustrating that we still have to play the waiting game depending on which brand of phone we carry, the severity of active exploits makes this a priority.
If I were you, I’d dive into your settings menu right now and manually check for an update. If you are rocking a Pixel, it should be there waiting for you. If you’re on a Samsung Galaxy or another device, you might have to wait a few days, which is admittedly nerve-wracking when you know there are active threats out there.
The reality is that "limited" attacks have a nasty habit of becoming widespread once the code is figured out. It’s better to be safe, update as soon as possible, and maybe keep an eye on your banking apps until you’re patched up.
Johanna 'Jojo the Techie' is a skilled mobile technology expert with over 15 years of hands-on experience, specializing in the Google ecosystem and Pixel devices. Known for her user-friendly approach, she leverages her vast tech support background to provide accessible and insightful coverage of the latest technology trends. As a recognized thought leader and former member of #TeamPixel, Johanna ensures she stays at the forefront of Google services and products, making her a reliable source for all things Pixel and ChromeOS.